April 17, 2013

Software Apps Could Make Mobile Operating Systems Vulnerable

Any computing device is only secure as its software. While the core operating system could be secure, software that is installed on top of it could introduce holes into the security. This has long been a problem with desktop and laptop computers, and software developers have often had to plug such holes.

Just this week, Oracle Corp. released an update for its Java SE software that resolves at least 42 security flaws in the widely used browser plugin. However, the problem isn´t just limited to desktops. Just as plugins have created holes in desktop/laptop browsers, apps could now be creating new security holes in mobile phones.

Researchers at University of California, Davis have found security flaws in popular texting, messaging and microblog apps developed for Google´s Android smartphone platform. These flaws could expose private information and even allow forged fraudulent messages to be posted the researchers have warned.

These apps feature vulnerabilities because the developers apparently left part of the code public, and this should have been locked up, alleges Zhendong Su, professor of computer science at UC Davis.

“It´s a developer error,” said graduate student Dennis (Liang) Xu, who had collected about 120,000 free apps from the Android marketplace. “This code was intended to be private but they left it public.”

The team has since notified the app developers of the problem, but has not yet received a response.

The security flaws can be opened when a mobile handset owner downloads the malicious code onto a handset. This code could be disguised as, or even hidden within, a seemingly useful app. It could also be attached to a “phishing” email or accessed inadvertently through a website. Regardless of the delivery method, this code could invade the vulnerable programs.

Su and Xu, along with UC Davis graduate student Fangqi Sun and visiting scholar Linfeng Liu from Xi'an Jiatong University, China, have reported that many of the apps surveyed for the study were found to have potential vulnerabilities. This included numerous major applications.

One included Handcrent SMS, a popular text-messaging app that reportedly allows users to place some text messages in a private, password-protected inbox. The researchers found that malicious code could take advantage of a security flaw and allow an attacker to access and read personal information, including those stored in the so-called “private” inbox.

It was also noted that some of the apps are very popular in China, and included the WeChat instant messaging service that is similar to Yahoo and AOL instant messages; and Weibo, a popular microblog that has been described as the Chinese equivalent of Twitter. Both of these programs could be vulnerable, where by malicious code could turn off the app or even post fraudulent messages.

The researchers focused initially on the Android platform, as it has about a half-billion users worldwide and remains the most popular mobile OS. The UC Davis team noted that Android, which is based on open-source technology, has key differences from Apple´s more closed iOS platform, but stressed that the iPhone may not be free from such security holes.